Bug 1671343 (CVE-2017-18360)

Summary: CVE-2017-18360 kernel: Division by zero in change_port_settings in drivers/usb/serial/io_ti.c resulting in a denial of service
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: acaringi, airlied, bhu, brdeoliv, bskeggs, dhoward, dmoppert, dvlasenk, fhrbata, hdegoede, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, nmurray, plougher, rt-maint, rvrbovsk, steved, vdronov, williams, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A division-by-zero in set_termios(), when debugging is enabled, was found in the Linux kernel. When the [io_ti] driver is loaded, a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-20 21:18:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1540721, 1553351, 1671752, 1671753, 1671755    
Bug Blocks: 1671344    

Description Andrej Nemec 2019-01-31 13:05:27 UTC 
A division-by-zero in set_termios() when debugging is enabled was found in the Linux kernel. When [io_ti] driver is loaded a local unprivileged attacker can request incorrect high transfer speed in the change_port_settings() in the drivers/usb/serial/io_ti.c so that the divisor value becomes zero and causes a system crash and a denial-of-service.

References:

https://marc.info/?l=linux-usb&m=149449572020916&w=2

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6aeb75e6adfaed16e58780309613a578fe1ee90b
Comment 10 Product Security DevOps Team 2020-05-20 21:18:57 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-18360